Grails resources plug-in WEB-INF / META-INF File Disclosure

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.

Synopsis :

A Java web application framework in use on the remote web server is
affected by an information disclosure vulnerability.

Description :

The remote web server uses a version of Grails, an open source web
application framework for JVM, that is affected by an information
disclosure vulnerability. Specifically, its 'resources' plug-in fails
to restrict access to resources located under an application's
'WEB-INF' and 'META-INF' directories by default. A remote attacker
could leverage this to retrieve the contents of class or configuration
files, such as web.xml, which should be private, including in other
web applications using directory traversal sequences.

See also :

Solution :

Upgrade the 'resources' plug-in to 1.2.6, configure it to block access
to resources under 'WEB-INF' and 'META-INF', and redploy the affected

Alternatively, block access to the 'WEB-INF' and 'META-INF'
directories in a reverse proxy.

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.3
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 72757 ()

Bugtraq ID: 65678

CVE ID: CVE-2014-0053

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now